Recovery From Failure in a Dynamic Scalable Services Mesh

ABSTRACT

The technology discloses a method of improved recovery from failure of a service instance in a service chain. Instances AA, BA and BB perform services A and B respectively. Instance BA receives from instance AA a first packet that includes an added header with a stream affinity code consistent for packets in the stream. Instance BA with a primary role specified in a distributed service map processes the packet. BA identifies BB as having a secondary role for packets carrying the code and synchronizes BA state information with BB after processing the packet. After failure of instance BA, instance AA receives an updated service map prepares to forward a second packet, with the same code as the first packet, to BA. After determining from the updated map that BA is no longer available and instance BB has the secondary role, AA forwards the second packet to BB, instead of BA.

PRIORITY DATA

This application claims the benefit of U.S. Provisional PatentApplication No. 62/812,791, entitled “RECOVERY FROM FAILURE IN A DYNAMICSCALABLE SERVICES MESH,” filed on Mar. 1, 2019 (Attorney Docket No. NSKO1025-2) and the benefit of U.S. Provisional Patent Application No.62/812,760 entitled “LOAD BALANCING IN A DYNAMIC SCALABLE SERVICESMESH,” (Attorney Docket No. NSKO 1025-1) filed Mar. 1, 2019. Theprovisional applications are incorporated by reference for all purposes.

INCORPORATIONS

The following materials are incorporated by reference in this filing:

US Non Provisional Patent Application entitled “LOAD BALANCING IN ADYNAMIC SCALABLE SERVICES MESH,” by Ravi ITHAL and Umesh Muniyappa,(Attorney Docket No. NSKO 1025-3) filed contemporaneously.

US Non Provisional application Ser. No. 14/198,508, entitled “SECURITYFOR NETWORK DELIVERED SERVICES”, filed on March 05, 2014 (AttorneyDocket No. NSKO 1000-3) (now U.S. Pat. No. 9,270,765, issued Feb. 23,2016),

U.S. Non Provisional application Ser. No. 14/198,499, entitled “SECURITYFOR NETWORK DELIVERED SERVICES”, filed Mar. 5, 2014 (Attorney Docket No.NSKO 1000-2) (now U.S. Pat. No. 9,398,102, issued on Jul. 19, 2016),

U.S. Non Provisional application Ser. No. 14/835,640, entitled “SYSTEMSAND METHODS OF MONITORING AND CONTROLLING ENTERPRISE INFORMATION STOREDON A CLOUD COMPUTING SERVICE (CCS)”, filed on Aug. 25, 2015 (AttorneyDocket No. NSKO 1001-2) (now U.S. Pat. No. 9,928,377, issued on Mar. 27,2018),

U.S. Non Provisional application Ser. No. 15/368,246, entitled “MIDDLEWARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES”, filed on Dec. 2, 2016(Attorney Docket No. NSKO 1003-3), which claims the benefit of U.S.Provisional Application No. 62/307,305, entitled “SYSTEMS AND METHODS OFENFORCING MULTI-PART POLICIES ON DATA-DEFICIENT TRANSACTIONS OF CLOUDCOMPUTING SERVICES”, filed on Mar. 11, 2016 (Attorney Docket No. NSKO1003-1),

“Cloud Security for Dummies, Netskope Special Edition” by Cheng, Ithal,Narayanaswamy, and Malmskog, John Wiley & Sons, Inc. 2015,

“Netskope Introspection” by Netskope, Inc.,

“Data Loss Prevention and Monitoring in the Cloud” by Netskope, Inc.,

“Cloud Data Loss Prevention Reference Architecture” by Netskope, Inc.,

“The 5 Steps to Cloud Confidence” by Netskope, Inc.,

“The Netskope Active Platform” by Netskope, Inc.

“The Netskope Advantage: Three “Must-Have” Requirements for Cloud AccessSecurity Brokers” by Netskope, Inc.,

“The 15 Critical CASB Use Cases” by Netskope, Inc.

“Netskope Active Cloud DLP” by Netskope, Inc.,

“Repave the Cloud-Data Breach Collision Course” by Netskope, Inc.; and

“Netskope Cloud Confidence Index™” by Netskope, Inc.

which are incorporated by reference for all purposes as if fully setforth herein.

FIELD OF THE TECHNOLOGY DISCLOSED

The technology disclosed relates generally to security for networkdelivered services, and in particular relates to improved recovery fromfailure and load balancing in a dynamic service chain with a cloudaccess security broker (CASB), for reducing latency and increasingavailability and scalability in flexibly configurable data paths throughservice chains while applying security services in the cloud.

BACKGROUND

The subject matter discussed in this section should not be assumed to beprior art merely as a result of its mention in this section. Similarly,a problem mentioned in this section or associated with the subjectmatter provided as background should not be assumed to have beenpreviously recognized in the prior art. The subject matter in thissection merely represents different approaches, which in and ofthemselves can also correspond to implementations of the claimedtechnology.

The use of cloud services for corporate functionality is common.According to International Data Corporation, almost half of allinformation technology (IT) spending will be cloud-based in 2018,“reaching 60% of all IT infrastructure and 60-70% of all software,services and technology spending by 2020.” For example, enterprisecompanies often utilize software as a service (SaaS) solutions insteadof installing servers within the corporate network to deliver services.

Data is the lifeblood of many businesses and must be effectively managedand protected. With the increased adoption of cloud services, companiesof all sizes are relying on the cloud to create, edit and store data.This presents new challenges as users access cloud services frommultiple devices and share data, including with people outside of anorganization. It is easy for data to get out of an organization'scontrol.

Customers want to be able to securely send all of their data betweencustomer branches and data centers. *All* data includes peer-to-peerfile sharing (P2P) via protocols for portal traffic such as BitTorrent(BT), user data protocol (UDP) streaming and file transfer protocol(FTP); voice, video and messaging multimedia communication sessions suchas instant message over Internet Protocol (IP) and mobile phone callingover LTE (VoLTE) via the Session Initiation Protocol (SIP) and Skype;Internet traffic, cloud application data, and generic routingencapsulation (GRE) data. As an example of the size of the P2P filesharing segment of data that needs to be handled securely, BitTorrent,one common protocol for transferring large files such as digital videofiles containing TV shows or video clips or digital audio filescontaining songs, had 15-27 million concurrent users at any time and wasutilized by 150 million active users as of 2013. Based on these figures,the total number of monthly BitTorrent users was estimated at more thana quarter of a billion, with BitTorrent responsible for 3.35% ofworldwide bandwidth, more than half of the 6% of total bandwidthdedicated to file sharing.

As the number of data sources increases, there are hundreds of ways datacan be compromised. Employees might send a wrong file, not be carefulwhen rushing to a deadline, or share data and collaborate with peopleoutside of their organization. The native cloud storage sync clientsalso pose a significant risk to organizations. A continuous sync takesplace between the end point and the cloud service without employeesrealizing they may be leaking confidential company information. In oneuse case, companies may want to allow employees and contractors to makevoice calls and participate in video conferences, while not enablingthem to transfer files over LTE via SIP and Skype. In another example,an enterprise may want to enable their users to view videos and not beable to upload or download video content files.

Accordingly, it is vital to facilitate the use of cloud services sopeople can continue to be productive and use the best tools for the jobwithout compromising sensitive information such as intellectualproperty, non-public financials, strategic plans, customer lists,personally identifiable information belonging to customers or employees,and the like.

An opportunity arises to apply security services to all customer trafficwhile reducing latency and increasing availability and scalability inflexibly configurable data paths in a services mesh through servicechains, expanding beyond cloud apps and web traffic firewalls tosecurely process P2P traffic over BT, FTP and UDP-based streamingprotocols as well as Skype, voice, video and messaging multimediacommunication sessions over SIP and web traffic over other protocols.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like reference characters generally refer to like partsthroughout the different views. Also, the drawings are not necessarilyto scale, with an emphasis instead generally being placed uponillustrating the principles of the technology disclosed. In thefollowing description, various implementations of the technologydisclosed are described with reference to the following drawings.

FIG. 1A illustrates an architectural level schematic of a system forload balancing in a dynamic service chain, including reducing latencyand increasing availability and scalability in flexibly configurabledata paths through service chains while applying security services inthe cloud.

FIG. 1B shows a block diagram for load balancing in a dynamic servicechain.

FIG. 2A shows a block diagram for security services at a data center,according to one implementation of the disclosed technology.

FIG. 2B illustrates a block diagram for a representative pod of FIG. 2Aand shows the flow of a packet to a core for processing.

FIG. 3 shows an exemplary packet structure after a network serviceheader is imposed on a packet.

FIG. 4A illustrates an example disclosed system for synchronization ofstates across multiple pods that supply a service, for improved recoveryfrom failure of a service instance in a service map.

FIG. 4B shows an example, with service instances that perform services Aand B, respectively, in a service chain.

FIG. 5 illustrates a representative method of load balancing in adynamic service chain, for reducing latency and increasing availabilityand scalability in flexibly configurable data paths through servicechains while applying security services.

FIG. 6 is a simplified block diagram of a computer system that can beused to implement load balancing in a dynamic service chain, and forimproved recovery from failure of a service instance in a service chain.

FIG. 7 shows a representative method for improved recovery from failureof a service instance in a service chain that performs at least servicesA and B, using service instance AA and service instances BA and BB toperform the services A and B, respectively.

DETAILED DESCRIPTION

The following detailed description is made with reference to thefigures. Sample implementations are described to illustrate thetechnology disclosed, not to limit its scope, which is defined by theclaims. Those of ordinary skill in the art will recognize a variety ofequivalent variations on the description that follows.

Existing approaches for applying security services to customer trafficinclude a security device point of presence (PoP) in the path of dataflow between customer branches of organization networks and data centersaccessed in the cloud via the Internet.

Organizations want to utilize a single security service that can applysecurity services to all customer traffic, expanding beyond cloud appsand web traffic firewalls to securely process P2P traffic over BT, FTPand UDP-based streaming protocols as well as Skype, voice, video andmessaging multimedia communication sessions over SIP, and web trafficover other protocols. In one example, the security service needs toallow employees and contractors at an organization to make calls, butnot transfer files, a policy that the service can enforce by encoding aSIP control channel and data channel. The enforcement of this policynecessitates more than a SIP proxy to enable the ability to anticipatewhere the data is getting transferred, and the ability to either avoidor block that channel, based on information in the channel. A streamingagent sending traffic looks at the port only, so needs to know allavailable ports before sending. If handling all protocols, the securityservice can catch web traffic over non-standard ports, but it is hard togather the traffic. An existing workaround for securing files from beingtransferred is to block access to ports, but security services want toload everything, safely—not block ports. P2P data packets try standardports first, and then often fall back, hopping from port to port, whichalso limits the usefulness of blocking a port, because the P2P dataservice can hop to a different port.

Security administrators can install security service devices in each ofthe customer branches of organization networks, in data centers andheadquarters, to create a management network for applying securitypolicies, so that all traffic goes through security devices. On-premisesecurity administrators would then be responsible for managingdeployment to ensure high availability of devices with failovermanagement, managing software life cycles with patches, andadministering upgrades to respond to hardware life cycles. Issues forthis hands-on approach to security include scaling when company sizechanges and load balancing for ensuring adequate service availability asdata loads vary.

The disclosed technology for load balancing in a dynamic service chainoffers a security services platform that scales horizontally anduniformly to administer customized security services and policies fororganizations and avoids single points of failure. Security servicescustomers using the disclosed technology are able to specify whichsecurity services apply for different types of tenant data, and tocustomize security policies for the data being transmitted via thedevices of their organizations. Tenant configurations can be documentedusing a service chain to specify the path for the flow of data packetsthat are to be sequentially routed to multiple security services for thespecific tenant. The tenant configuration specifies the ordered sequenceof services in a service chain for the customer. The subsequent dynamicsteering of traffic flows of data packets through the ordered set ofservices needs to be fast to provide acceptable security services fortenants. Also, new third party services can be deployed using thesecurity services platform, without affecting existing flows of packets.Additional disclosed technology for improved recovery from failure of aservice instance in a service chain identifies primary and secondaryroles for service instances and synchronizes state information whenprocessing packets, to improve recovery from failure of serviceinstances. An example system for load balancing of a dynamic servicechain is described next.

Architecture

FIG. 1A shows an architectural level schematic of a system 100 for loadbalancing in a dynamic service chain, and for reducing latency andincreasing availability and scalability in flexibly configurable datapaths through service chains while applying security services in thecloud. Because FIG. 1A is an architectural diagram, certain details areintentionally omitted to improve clarity of the description. Thediscussion of FIG. 1A will be organized as follows. First, the elementsof the figure will be described, followed by their interconnections.Then, the use of the elements in the system will be described in greaterdetail.

System 100 includes organization network 102, data center 152 withNetskope cloud access security broker (N-CASB) 155 and cloud-basedservices 108. System 100 includes multiple organization networks 104 formultiple subscribers, also referred to as multi-tenant networks, of asecurity services provider and multiple data centers 154, which aresometimes referred to as branches. Organization network 102 includescomputers 112 a-n, tablets 122 a-n, cell phones 132 a-n and smartwatches 142 a-n. In another organization network, organization users mayutilize additional devices. Cloud services 108 includes cloud-basedhosting services 118, web email services 128, video, messaging and voicecall services 138, streaming services 148, file transfer services 158,and cloud-based storage service 168. Data center 152 connects toorganization network 102 and cloud-based services 108 via public network145.

Continuing with the description of FIG. 1A, disclosed enhanced Netskopecloud access security broker (N-CASB) 155 securely processes P2P trafficover BT, FTP and UDP-based streaming protocols as well as Skype, voice,video and messaging multimedia communication sessions over SIP, and webtraffic over other protocols, in addition to governing access andactivities in sanctioned and unsanctioned cloud apps, securing sensitivedata and preventing its loss, and protecting against internal andexternal threats. N-CASB 155 includes active analyzer 165 andintrospective analyzer 175 that identify the users of the system and setpolicies for apps. Introspective analyzer 175 interacts directly withcloud-based services 108 for inspecting data at rest. In a polling mode,introspective analyzer 175 calls the cloud-based services using APIconnectors to crawl data resident in the cloud-based services and checkfor changes. As an example, Box™ storage application provides an adminAPI called the Box Content API™ that provides visibility into anorganization's accounts for all users, including audit logs of Boxfolders, that can be inspected to determine whether any sensitive fileswere downloaded after a particular date, at which the credentials werecompromised. Introspective analyzer 175 polls this API to discover anychanges made to any of the accounts. If changes are discovered, the BoxEvents API™ is polled to discover the detailed data changes. In acallback model, introspective analyzer 175 registers with thecloud-based services via API connectors to be informed of anysignificant events. For example, introspective analyzer 175 can useMicrosoft Office365 Webhooks API™ to learn when a file has been sharedexternally. Introspective analyzer 175 also has deep API inspection(DAPII), deep packet inspection (DPI), and log inspection capabilitiesand includes a DLP engine that applies the different content inspectiontechniques on files at rest in the cloud-based services, to determinewhich documents and files are sensitive, based on policies and rulesstored in storage 186. The result of the inspection by introspectiveanalyzer 175 is generation of user-by-user data and file-by-file data.

Continuing further with the description of FIG. 1A, N-CASB 155 furtherincludes monitor 184 that includes extraction engine 171, classificationengine 172, security engine 173, management plane 174 and data plane180. Also included in N-CASB 155, storage 186 includes content policies187, content profiles 188, content inspection rules 189, enterprise data197, information for clients 198 and user identities 199. Enterprisedata 197 can include organizational data, including but not limited to,intellectual property, non-public financials, strategic plans, customerlists, personally identifiable information (PII) belonging to customersor employees, patient health data, source code, trade secrets, bookinginformation, partner contracts, corporate plans, merger and acquisitiondocuments and other confidential data. In particular, the term“enterprise data” refers to a document, a file, a folder, a webpage, acollection of webpages, an image, or any other text-based document. Useridentity refers to an indicator that is provided by the network securitysystem to the client device, in the form of a token, a unique identifiersuch as a UUID, a public-key certificate, or the like. In some cases,the user identity can be linked to a specific user and a specificdevice; thus, the same individual can have a different user identity ontheir mobile phone vs. their computer. The user identity can be linkedto an entry or userid corporate identity directory, but is distinct fromit. In one implementation, a cryptographic certificate signed by thenetwork security is used as the user identity. In other implementations,the user identity can be solely unique to the user and be identicalacross devices.

Embodiments can also interoperate with single sign-on (SSO) solutionsand/or corporate identity directories, e.g. Microsoft's ActiveDirectory. Such embodiments may allow policies to be defined in thedirectory, e.g. either at the group or user level, using customattributes. Hosted services configured with the system are alsoconfigured to require traffic via the system. This can be done throughsetting IP range restrictions in the hosted service to the IP range ofthe system and/or integration between the system and SSO systems. Forexample, integration with a SSO solution can enforce client presencerequirements before authorizing the sign-on. Other embodiments may use“proxy accounts” with the SaaS vendor—e.g. a dedicated account held bythe system that holds the only credentials to sign in to the service. Inother embodiments, the client may encrypt the sign on credentials beforepassing the login to the hosted service, meaning that the networkingsecurity system “owns” the password.

Storage 186 can store information from one or more tenants into tablesof a common database image to form an on-demand database service (ODDS),which can be implemented in many ways, such as a multi-tenant databasesystem (MTDS). A database image can include one or more databaseobjects. In other implementations, the databases can be relationaldatabase management systems (RDBMSs), object oriented databasemanagement systems (OODBMSs), distributed file systems (DFS), no-schemadatabase, or any other data storing systems or computing devices. Insome implementations, the gathered metadata is processed and/ornormalized. In some instances, metadata includes structured data andfunctionality targets specific data constructs provided by cloudservices 108. Non-structured data, such as free text, can also beprovided by, and targeted back to cloud services 108. Both structuredand non-structured data are capable of being aggregated by introspectiveanalyzer 175. For instance, the assembled metadata is stored in asemi-structured data format like a JSON (JavaScript Option Notation),BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consistsof string fields (or columns) and corresponding values of potentiallydifferent types like numbers, strings, arrays, objects, etc. JSONobjects can be nested and the fields can be multi-valued, e.g., arrays,nested arrays, etc., in other implementations. These JSON objects arestored in a schema-less or NoSQL key-value metadata store 148 likeApache Cassandra™ 158, Google's BigTable™, HBase™ Voldemort™, CouchDB™,MongoDB™, Redis™, Riak™, Neo4j™, etc., which stores the parsed JSONobjects using keyspaces that are equivalent to a database in SQL. Eachkeyspace is divided into column families that are similar to tables andcomprise of rows and sets of columns.

In one implementation, introspective analyzer 175 includes a metadataparser (omitted to improve clarity) that analyzes incoming metadata andidentifies keywords, events, user IDs, locations, demographics, filetype, timestamps, and so forth within the data received. Parsing is theprocess of breaking up and analyzing a stream of text into keywords, orother meaningful elements called “targetable parameters”. In oneimplementation, a list of targeting parameters becomes input for furtherprocessing such as parsing or text mining, for instance, by a matchingengine (not shown). Parsing extracts meaning from available metadata. Inone implementation, tokenization operates as a first step of parsing toidentify granular elements (e.g., tokens) within a stream of metadata,but parsing then goes on to use the context that the token is found into determine the meaning and/or the kind of information beingreferenced. Because metadata analyzed by introspective analyzer 175 arenot homogenous (e.g., there are many different sources in many differentformats), certain implementations employ at least one metadata parserper cloud service, and in some cases more than one. In otherimplementations, introspective analyzer 175 uses monitor 184 to inspectthe cloud services and assemble content metadata. In one use case, theidentification of sensitive documents is based on prior inspection ofthe document. Users can manually tag documents as sensitive, and thismanual tagging updates the document metadata in the cloud services. Itis then possible to retrieve the document metadata from the cloudservice using exposed APIs and use them as an indicator of sensitivity.

Continuing further with the description of FIG. 1A, system 100 caninclude any number of cloud-based services 108: point to point streamingservices, hosted services, cloud applications, cloud stores, cloudcollaboration and messaging platforms, and cloud customer relationshipmanagement (CRM) platforms. The services can include peer-to-peer filesharing (P2P) via protocols for portal traffic such as BitTorrent (BT),user data protocol (UDP) streaming and file transfer protocol (FTP);voice, video and messaging multimedia communication sessions such asinstant message over Internet Protocol (IP) and mobile phone callingover LTE (VoLTE) via the Session Initiation Protocol (SIP) and Skype.The services can handle Internet traffic, cloud application data, andgeneric routing encapsulation (GRE) data. A network service orapplication, or can be web-based (e.g., accessed via a uniform resourcelocator (URL)) or native, such as sync clients. Examples includesoftware-as-a-service (SaaS) offerings, platform-as-a-service (PaaS)offerings, and infrastructure-as-a-service (IaaS) offerings, as well asinternal enterprise applications that are exposed via URLs. Examples ofcommon cloud-based services today include Salesforce.com™, Box™,Dropbox™, Google Apps™, Amazon AWS™, Microsoft Office 365™, Workday™,Oracle on Demand™, Taleo™, Yammer™, Jive™, and Concur™.

In the interconnection of the elements of system 100, network 145couples computers 112 a-n, tablets 122 a-n, cell phones 132 a-n, smartwatches 142 a-n, cloud-based hosting service 118, web email services128, video, messaging and voice call services 138, streaming services148, file transfer services 158, cloud-based storage service 168 andN-CASB 155 in communication. The communication path can bepoint-to-point over public and/or private networks. Communication canoccur over a variety of networks, e.g. private networks, VPN, MPLScircuit, or Internet, and can use appropriate application programinterfaces (APIs) and data interchange formats, e.g. REST, JSON, XML,SOAP and/or JMS. All of the communications can be encrypted. Thiscommunication is generally over a network such as the LAN (local areanetwork), WAN (wide area network), telephone network (Public SwitchedTelephone Network (PSTN), Session Initiation Protocol (SIP), wirelessnetwork, point-to-point network, star network, token ring network, hubnetwork, Internet, inclusive of the mobile Internet, via protocols suchas EDGE, 3G, 4G LTE, Wi-Fi, and WiMAX. Additionally, a variety ofauthorization and authentication techniques, such as username/password,OAuth, Kerberos, SecureID, digital certificates, and more, can be usedto secure the communications.

Further continuing with the description of the system architecture inFIG. 1A, N-CASB 155 includes monitor 184 and storage 186 which caninclude one or more computers and computer systems coupled incommunication with one another. They can also be one or more virtualcomputing and/or storage resources. For example, monitor 184 can be oneor more Amazon EC2 instances and storage 186 can be Amazon S3™ storage.Other computing-as-service platforms such as Rackspace, Heroku orForce.com from Salesforce could be used rather than implementing N-CASB155 on direct physical computers or traditional virtual machines.Additionally, one or more engines can be used and one or more points ofpresence (POPs) can be established to implement the security functions.The engines or system components of FIG. 1A are implemented by softwarerunning on varying types of computing devices. Example devices are aworkstation, a server, a computing cluster, a blade server, and a serverfarm, or any other data processing system or computing device. Theengine can be communicably coupled to the databases via a differentnetwork connection. For example, extraction engine 171 can be coupledvia network(s) 145 (e.g., the Internet), classification engine 172 canbe coupled via a direct network link and security engine 173 can becoupled by yet a different network connection. For the disclosedtechnology, the data plane 180 POPs is hosted on the client's premisesor located in a virtual private network controlled by the client.

N-CASB 155 provides a variety of functions via a management plane 174and a data plane 180. Data plane 180 includes an extraction engine 171,a classification engine 172, and a security engine 173, according to oneimplementation. Other functionalities, such as a control plane, can alsobe provided. These functions collectively provide a secure interfacebetween cloud services 108 and organization network 102. Although we usethe term “network security system” to describe N-CASB 155, moregenerally the system provides application visibility and controlfunctions as well as security. In one example, thirty-five thousandcloud applications are resident in libraries that intersect with serversin use by computers 112 a-n, tablets 122 a-n, cell phones 132 a-n andsmart watches 142 a-n in organization network 102.

Computers 112 a-n, tablets 122 a-n, cell phones 132 a-n and smartwatches 142 a-n in organization network 102 include management clientswith a web browser with a secure web-delivered interface provided byN-CASB 155 to define and administer content policies 187, according toone implementation. N-CASB 155 is a multi-tenant system, so a user of amanagement client can only change content policies 187 associated withtheir organization, according to some implementations. In someimplementations, APIs can be provided for programmatically defining andor updating policies. In such implementations, management clients caninclude one or more servers, e.g. a corporate identities directory suchas a Microsoft Active Directory, pushing updates, and/or responding topull requests for updates to the content policies 187. Both systems cancoexist; for example, some companies may use a corporate identitiesdirectory to automate identification of users within the organizationwhile using a web interface for tailoring policies to their needs.Management clients are assigned roles and access to the N-CASB 155 datais controlled based on roles, e.g. read-only vs. read-write.

In addition to periodically generating the user-by-user data and thefile-by-file data and persisting it in metadata store 178, an activeanalyzer and introspective analyzer (not shown) also enforce securitypolicies on the cloud traffic. For further information regarding thefunctionality of active analyzer and introspective analyzer, referencecan be made to, for example, commonly owned U.S. Pat. Nos. 9,398,102(NSKO 1000-2); 9,270,765 (NSKO 1000-3); 9,928,377 (NSKO 1001-2); andU.S. patent application Ser. No. 15/368,246 (NSKO 1003-3); Cheng, Ithal,Narayanaswamy and Malmskog Cloud Security For Dummies, Netskope SpecialEdition, John Wiley & Sons, Inc. 2015; “Netskope Introspection” byNetskope, Inc.; “Data Loss Prevention and Monitoring in the Cloud” byNetskope, Inc.; “Cloud Data Loss Prevention Reference Architecture” byNetskope, Inc.; “The 5 Steps to Cloud Confidence” by Netskope, Inc.;“The Netskope Active Platform” by Netskope, Inc.; “The NetskopeAdvantage: Three “Must-Have” Requirements for Cloud Access SecurityBrokers” by Netskope, Inc.; “The 15 Critical CASB Use Cases” byNetskope, Inc.; “Netskope Active Cloud DLP” by Netskope, Inc.; “Repavethe Cloud-Data Breach Collision Course” by Netskope, Inc.; and “NetskopeCloud Confidence Index™” by Netskope, Inc., which are incorporated byreference for all purposes as if fully set forth herein.

For system 100, a control plane may be used along with or instead ofmanagement plane 174 and data plane 180. The specific division offunctionality between these groups is an implementation choice.Similarly, the functionality can be highly distributed across a numberof points of presence (POPs) to improve locality, performance, and/orsecurity. In one implementation, the data plane is on premises or on avirtual private network and the management plane of the network securitysystem is located in cloud services or with corporate networks, asdescribed herein. For another secure network implementation, the POPscan be distributed differently.

While system 100 is described herein with reference to particularblocks, it is to be understood that the blocks are defined forconvenience of description and are not intended to require a particularphysical arrangement of component parts. Further, the blocks need notcorrespond to physically distinct components. To the extent thatphysically distinct components are used, connections between componentscan be wired and/or wireless as desired. The different elements orcomponents can be combined into single software modules and multiplesoftware modules can run on the same hardware.

Moreover, this technology can be implemented using two or more separateand distinct computer-implemented systems that cooperate and communicatewith one another. This technology can be implemented in numerous ways,including as a process, a method, an apparatus, a system, a device, acomputer readable medium such as a computer readable storage medium thatstores computer readable instructions or computer program code, or as acomputer program product comprising a computer usable medium having acomputer readable program code embodied therein. The technologydisclosed can be implemented in the context of any computer-implementedsystem including a database system or a relational databaseimplementation like an Oracle™ compatible database implementation, anIBM DB2 Enterprise Server™ compatible relational databaseimplementation, a My SQL™ or PostgreSQL™ compatible relational databaseimplementation or a Microsoft SQL Server™ compatible relational databaseimplementation or a NoSQL non-relational database implementation such asa Vampire™ compatible non-relational database implementation, an ApacheCassandra™ compatible non-relational database implementation, aBigTable™ compatible non-relational database implementation or an HBase™or DynamoDB™ compatible non-relational database implementation. Inaddition, the technology disclosed can be implemented using differentprogramming models like MapReduce™, bulk synchronous programming, MPIprimitives, etc. or different scalable batch and stream managementsystems like Amazon Web Services (AWS)™, including Amazon ElasticsearchService™ and Amazon Kinesis™, Apache Storm™ Apache Spark™, ApacheKafka™, Apache Flink™, Truviso™, IBM Info-Sphere™, Borealis™ and Yahoo!S4™.

FIG. 1B shows a simplified block diagram for load balancing in a dynamicservice chain, with organization network 102 with user interface 152usable by security administrators to interact with the network securitysystem and cloud-based services described relative to FIG. 1A. Datacenter 152 includes Netskope cloud access security broker (N-CASB) 155with services 160. Many possible services can be selected by tenants forprocessing data flows of their users. The services selected for a tenantare referred to in the service chain for the tenant. A single tenant canhave multiple service chains configured for different types of datapackets and service chains can be reconfigured as the needs of a tenantevolve. One security service is a native service implemented by thesecurity service provider. Another security service is Internet ProtocolSecurity (IPsec) 161, a suite of protocols used in virtual privatenetworks (VPNs) to authenticate and encrypt the packets of data sentover the Internet protocol network (IPN). Another security service isapp firewall 162 that controls input, output, and access from, to, or byan application, by monitoring and potentially blocking the input,output, or system service calls that do not meet the configured securityservices policy. An example app firewall is web application firewall(WAF) for HTTP applications. Another security service is proxy analyzer163 that examines and classifies data files as sensitive or not usingcontent evaluation techniques described in U.S. Non Provisionalapplication Ser. No. 15/368,246, entitled “MIDDLE WARE SECURITY LAYERFOR CLOUD COMPUTING SERVICES” (Attorney Docket No. NSKO 1003-3) which isincorporated in full herein. Proxy analyzer 163 can function as afirewall service in one implementation. Yet another security service isintrusion prevention system (IPS) 164 that monitors a tenant's networkfor malicious activity or policy violations, often using a securityinformation and event management (SIEM) system to collect maliciousactivity and policy violations centrally. Services 160 also includes IPnetwork address translation (NAT) 166, which can remap one IP addressspace into another by modifying network address information in the IPheader of packets while they are in transit across a traffic routingdevice. User-by-user data and the file-by-file security data is storedin metadata store 178. In one implementation, the user-by-user data andthe file-by-file data is stored in a semi-structured data format likeJSON, BSON (Binary JSON), XML, Protobuf, Avro, or Thrift object, whichcomprises fields (or columns) and corresponding values of potentiallydifferent types like numbers, strings, arrays, and objects.

FIG. 2A shows a block diagram for security services in a services meshat data center 152. A data center can also be referred to as a point ofpresence (PoP), cluster or set of nodes. A node refers to a physicalmachine running multiple pods. In one implementation, one node runs twoto three pods, which each include a set of containers which runprocesses. Three to four containers run in a pod and a single processruns in a container, in one implementation. Each process runs a set ofthreads, often with one core provisioned per thread. In another examplecase, configurations with different numbers of pods and containers andprocesses can be configured in data center 152. Disclosed N-CASB 155includes high availability load balancing (HALB) controller 212,workload orchestrator 216, publish-subscribe rich context configurationstore 225 and infrastructure manager 222. Data center 152 includesservices 242, 244, 245, 246, 248 for processing data flows 232 at datacenter 152, with services 160 for IPsec 161, app firewall 162, proxyanalyzer 163, IPS 164, and NAT 166 described relative to FIG. 1Bearlier, along with any additional security services developed by thecloud security provider. Data center 152 includes an example set ofservices mapped to a set of pods for each of five different services,and can include additional pods and services (not shown), that processflows of packets: service 1 242 with pod A 252, pod B 262, pod C 272 andpod D 282; Service 2 244 with pod 1 254, pod 2 264 and pod 3 274;service 3 245 with pod 4 255, pod 5 265, pod 6 275, pod 7 285 and pod 8295; service 4 246 with pod 9 256, pod 10 266, pod 11 276, pod 12 286;and service 5 248 with pod 13 258 and pod 14 268. A pod is a group ofcontainers that are deployed on the same server, in one implementation.A Docker container running on a physical host is a lightweightself-contained environment sharing the host operating system, and withits own processor address space, memory address space and networkingaddress space with network layer resources including IP addresses andtransport layer resources including TCP port numbers. Each pod n caninclude multiple containers 288, in one implementation. Each containerutilizes a distributed service chain plugin to implement integrated loadbalancing with high availability via infrastructure manager 222 withinthe container, as represented by dotted connection 202 and a shaded areain the pods and described in detail later. Infrastructure manager 222utilizes the service chain for the tenant to determine which service toroute the packets to next. Infrastructure manager 222 also serves as thepod manager interface with HALB controller 212 and allocates IPaddresses for pods and acts as the interface to workload orchestrator216 as well as additional scheduling and management functionality.Infrastructure manager 222 provides routing services usable by theservices provided by other service vendors. Every container processesthe ingress and egress of packet flows, utilizing data plane developmentkit (DPDK) libraries and network interface controller (NIC) drivers toprocess packets and maintain state, and accelerating packet processingworkloads. Vector packet processing (VPP) interfaces with infrastructuremanager 222 and services 160 plugins.

Continuing with the description of FIG. 2A, workload orchestrator 216manages the clusters of pods, detecting new pod instances and droppedservice pods and storing configuration data and the status of the podsin publish-subscribe rich context configuration store 225, a distributedkey-value data store, resulting in a large lookup table with each podusing a number of entries in the table. Workload orchestrator 216detects each new pod instance and the scheduling map is integrated withDynamic Host Configuration Protocol (DHCP) automatic assignment of IPaddresses and related configuration information to the new pod instance.Publish-subscribe rich context configuration store 225 also stores theservices map that lists, by subscriber, the security services that eachtenant has contracted to receive from the security service provider. Inone example, workload orchestrator 216 is implemented using Kubernetesas the distributed system for assigning unique IP addresses and forscheduling to ensure enough available containers in pods. Kubernetes isa container orchestration system for automating deployment, scaling andmanagement. Publish-subscribe rich context configuration store 225utilizes etcd in one example; and in a different implementation aconfiguration store such as Apache ZooKeeper can be utilized.

Further continuing with the description of FIG. 2A, data flows 232 areprocessed by a sequential set of security services specified by theservice chain for the subscriber, as they traverse a data path to thecloud, via public network 145. Packets for a subscriber are classifiedon ingress at a distributed service chain plugin in a container in a podat data center 152 and are then forwarded through that set of functionsfor processing at a first service node that performs a first securityservice in a service chain. Based on the processing, the distributedservice chain plugin at the container determines a second service amongat least second and third services which the subscriber has selected,that should next handle the packet. Packets may be reclassified as aresult of this processing.

Data center 152 includes a set of pods that process packets for each offive different services in a services mesh in the example describedrelative to FIG. 2A. A large lookup table with each pod using a numberof entries in the table, is described relative to FIG. 2A. Packetsarrive for processing at data center 152 with packet structure 305described relative to FIG. 3. The disclosed distributed system for loadbalancing in a dynamic service chain deploys a software load balancer toeach Docker container in each pod that processes packets for a service.A consistent hashing algorithm is utilized to generate a consistenthashing table (CHT) for distributing packet traffic load for theservices specified for the tenant. The distributed hashing scheme allowsscaling of the number of containers without affecting the overallsystem. Maglev hashing, described in “Maglev: A Fast and ReliableSoftware Network Load Balancer” is utilized in one implementation. Adifferent consistent hashing algorithm could be used in anotherimplementation. The Maglev hash key is calculated using the 6-tuple forthe packet to be processed. The 6-tuple of a packet refers to the clientID, the source IP, source port, destination IP, destination port and IPprotocol number. The client ID information is stored in the added NSHheader, in one implementation.

The CHT represents the ports that are deployed, specifying the nodesthat are available to process packets. The CHT changes when a port isadded or a port is taken out of service, and specifies, for a given6-tuple, where to send the packet. Individual pods can store a localcopy of the CHT in a flow table to record the service chain specified inthe CHT for faster table access. Every container on every service podutilizes the same consistent hashing table (CHT) content that holds thelist of available pods. A service map lists the PODS and containers thatare available and identifies each service instance as having a primaryrole or a secondary role, in some implementations. In other cases, rolescan include four distinct roles: primary role, secondary role, tertiaryrole and quaternary role.

FIG. 2B illustrates a block diagram for a representative pod 254 of FIG.2A and shows the flow of a packet to a core for processing. Pod 254includes global flow table 235, n cores shown as core a 231, core p 233,core q 237 and core n 239. The number of cores can be configured basedon the expected traffic flow. One data center may have as little as onegigabit/sec of traffic while another data center may have aterabit/second of traffic and need as many as sixty-four cores. Each ofthe cores in pod 1 254 includes a local flow table 241, 243, 247, 249data structure in which the various security service modules, such asNAT and App firewall, store module-specific data. Also, each of thecores in pod 1 254 includes a flow module 251, 253, 257, 259 plugin witha set of nodes for distributing flow table functionality. Global flowtable 235 maps the 6 tuple of a packet (client ID, the source IP, sourceport, destination IP, destination port and IP protocol number) to a coreid. In one case, flow table 235 is implemented as a lockless flow table.A configurable value for each coreid, for example −1, can be used toindicate that a packet is part of an existing stream, with packetssprayed so that the same thread processes all packets from a given L4-L7data flow.

Continuing the description of FIG. 2B, packet flow 230 arrives at pod254 at NIC 240 and the packet gets sprayed to an arbitrary core in thefirst step. The outer UDP header 325 which was added to the originalpacket, with source port and destination port randomized, is used in thepacket spraying, to increase entropy in the selection of which core isto receive the packet. In this example the packet arrives at core p 233in step one. Flow module 253 of core p 233 does a lookup in local flowtable 243 to determine whether earlier packets in the stream wereprocessed by flow module 253. If no entry for the stream exists in localflow table 243, flow module 253 does a lookup in global flow table 235in step two, and sends the packet to the core that owns the flow (stepthree). A configurable-length unidirectional packet queue (not shown)that holds pointers to packets to be processed by that core is set upbetween each pair of cores. The cores process packets received fromqueues locally, using the local flow table (step four). When lookup inglobal flow table 235 results in a miss, a new entry is created, withthe current core as the owner. This is useful, since when receive sidescaling (RSS) is utilized, MC 240 keeps sending packets to the same coreas the earlier packets in the packet stream, in one implementation. Thatis, packets are sprayed in such a fashion so that the same threadprocesses all packets from a given flow. The architecture is applicableto both physical hardware and virtual machines (VMs), so VM NICs thatsupport RSS can be utilized for packet distribution. One or more NICsare utilized per pod in one implementation; and a single NIC can bevirtualized into many virtual functions (VFs) via single-rootinput/output virtualization (SR-IOV) and each pod includes one or moreVFs.

Packet Structure and Flow Routing Example

FIG. 3 shows an exemplary packet structure 305 after a network serviceheader (NSH), which provides metadata for exchange along instantiatedservice paths, is imposed on a packet. The NSH provides data planeencapsulation that utilizes the network overlay topology used to deliverpackets to the requisite services. The packet structure 305 includesoriginal packet L4-L7 data 355 and IPv4/IPv6 header 345 with source IPaddress and destination IP address for the packet, as well as additionalfield values. Packet structure 305 also includes NSH header withmandatory and optional type-length-value (TLV) data 335 with a servicechain with a list of services for the packet as specified by thesubscriber to the services, the name of the user (optionally) andadditional context information for exchange between service functions.The field list is not exhaustive of the fields that are included, butrather highlights key fields. An outer UDP header 325 is added to theoriginal packet, with source port and destination port randomized toincrease entropy for the selection of which core in a pod is to processthe packet for the service (from the list of services). When multiplepackets are part of a single flow, they can be mapped to the same podfor processing for the service. Packet structure 305 also includes outerIPv4 header 315, which includes the source address of the source pod forthe packet and the destination address for the destination pod for thepacket.

Next we describe an example for processing a stream of packets.Construct the 6-tuple using the data from an exemplary packet describedearlier. Access the service map for the packet, in the local flow table.If the service action is allowed, transmit the packet and update thestats. If the action is blocked, drop the packet and update the stats inthe flow table. If the action is allowed, assert action==inspect andAppID==inspecting and store the states in the flow table.

In a service map example described next, an app firewall securityservice instance uses the service map when making the decision of whereto send a received packet next after processing by the first service,accessing a flow table using outer IP header data carried by the packetto select a second service node, from among a plurality of service nodesperforming the second service in the service chain. The next step isrouting the packet to the selected second service node upon egress fromthe first service node. In this example, the service map shows ipsecservice is available on pod 8 and pod 9, appfwl is available on pod 1,pod 2 and pod 3, and IPS service is available on pod 4, pod 5 and pod 6.The example shows the IP addresses for each of pods 1, 2 and 3.Additional pod IP addresses are omitted for brevity.

Pods: { ipsec: [p8, p9], appfwl [p1, p2, p3], ips: [p4, p5, p6] }Ipaddrs: { p1: 1.1.1.1, p2: 1.1.1.2, p3: 1.1.1.3 ... } }

For the example, we use the Maglev load balancing algorithm to calculatethe CHT for each service (appfwl/ips) and we represent the hashed valuesas integers for simplicity. The hashed keys in the CHT are shown withassociated values next.

At IPsec pod: Appfwl: Key value 0 p1 1 p2 2 p2 3 p1 4 p3 5 p3 6 p1 7 p28 p3 . . .

At packet processing time, a packet is received, with the formatdescribed relative to FIG. 3: outer IP header 315, outer UDP header 325,NSH header 335 and inner payload which includes the header of theoriginal packet 345 and the data of the original packet 355. Todetermine where to send the packet next, the current service looks upthe next service in the service chain for the subscriber. For thisexample, we assume the next service is appfwl. The hash key isconstructed using the tenantid from NSH 335, and scrip, dstip, protocol,sport, dport 5-tuple from inner payload 355. For an example hash value4, look up the value for key=4 in the CHT shown earlier. The value is p3which refers to pod 3. We use the p3 value to look up the IP address ofp3. Then we set the destination IP dstip as 1.1.1.3 for pod 3 in theouter IP packet header 315, update the flow table to specify p3 as thesecond service node providing the second service and send the packet tothe appfwl service on pod 3. The example shows accessing an availablenodes list in a consistent hash table (CHT) of service nodes performingthe second service, selecting one of the available nodes using asix-tuple hash as a key to the CHT table to select the second servicenode, and updating the flow table to specify the second service node asproviding the second service for packets sharing the header data.

During real time ingress of packets to security services and egress ofprocessed packets from security services, with flows and pods running,infrastructure manager 222 and HALB controller 212 monitor utilizationof the available bandwidth for processing packets. If the traffic volumeto the data center 152 exceeds a configurable high water mark (100GBtraffic in one example implementation) or if traffic volumes spikebeyond a defined threshold, then HALB controller 212 signals workloadorchestrator 216 to provision a new pod to become available for theimpacted security service. In another implementation, the servicesprocessing packets can be performing functions different from securityservices. After the newly added pod is provisioned, workloadorchestrator 216 schedules the packets and streams coming in forprocessing. HALB controller 212 communicates the updated CHT thatincludes the added pod or pods to all the containers in all the pods andcan redistribute the load to lessen the traffic volume per workerservice in the system. In another case, a pod stops responding,effectively dropping out of service, and workload orchestrator 216updates the CHT to reflect the change in available pods and stores theupdated CHT in publish subscribe configuration store 225. HALBcontroller 212 accesses the updated CHT in publish subscribeconfiguration store 225 and communicates the updated CHT to theremaining pods. Future packets get processed by available services oncontainers in available pods.

State Synchronization for Service Assurance

FIG. 4A illustrates an example disclosed system for synchronization ofstates across multiple pods that supply a service, for improved recoveryfrom failure of a service instance in a service map. The example showssecurity service failure recovery map 405 for four example pods in aservices mesh, offering the same service. Pod A 402 handles pod A activestates 412, and additionally captures and stores pod B synchronizedstates 422, pod C synchronized states 423 and pod D synchronized states424. Similarly, pod B 408 handles pod B active states 418, andadditionally captures and stores pod A synchronized states 426, pod Csynchronized states 427 and pod D synchronized states 428. Continuingthe description of security service failure recovery map 405, pod C 452handles pod C active states 462, and additionally captures and storespod A synchronized states 472, pod C synchronized states 473 and pod Dsynchronized states 474. Similarly, pod D 458 handles pod D activestates 468, and additionally captures and stores pod A synchronizedstates 476, pod B synchronized states 477 and pod C synchronized states478. The state synchronization enables near real time recovery forpacket streams in instances in which a pod becomes inactive. Theremaining pods hold synchronized states for the pod that has becomeunavailable, so HALB controller 212 can balance the load among theremaining pods that are available.

FIG. 4B shows a specific synchronization example, with service instanceAA 411 and service instances BA 415 and BB 457 that perform services A433 and B 437, 467, respectively, in a service chain. Service instanceBA 415 is designated in the primary role for providing service B, soreceives from service instance AA 411 a first packet 435 in a stream fora subscriber. The first packet includes, in an added header, a streamaffinity code that is consistent for packets in the stream. In one case,the stream affinity code is an outer IP header such as has beendescribed earlier. In another example implementation, a differentencoding can be utilized. Service instance BA 415, in a primary rolespecified in a service map distributed to service instances, processesthe first packet by performing service B 437. Service instance BA 415identifies service instance BB 457 as having a secondary role specifiedin the service map distributed to service instances and synchronizesservice instance BA synced states 487 information with service instanceBB 457 after processing the first packet. For the sake of the example,we assume that service instance BA 415 becomes unresponsive for someperiod of time of at least 20 seconds. Monitoring agent (not shown)monitors packet flows at service instances and signals when containersand pods become unavailable, and the service map gets updated to reflectwhich service instances are available. Monitoring agent monitors metricsof each container and reports the metrics every 30 seconds to a metricutilization service, in one implementation. In one case, auto-scalingcan be configured.

Continuing the description of FIG. 4B, after failure of service instanceBA 415, service instance AA 411 receives an updated service map andprepares to forward a second packet, which includes the same streamaffinity code as the first packet, to service instance BA 415 forperformance of service B 437. Preparation includes determining from theupdated service map that the service instance BA 415 is no longeravailable, and determining from the updated service map that the serviceinstance BB 457 has the secondary role. Service A 433 at serviceinstance AA 411 forwards the second packet 465 to service B 467 atservice instance BB 457 instead of to service B 437 at service instanceBA 415.

Next, we describe an example workflow for load balancing in a dynamicservice chain, and a workflow for improved recovery from failure of aservice instance in a service chain that performs at least two services,using multiple service instances to perform the services.

Workflows

FIG. 5 shows a representative method of load balancing in a dynamicservice chain, for reducing latency and increasing availability andscalability in flexibly configurable data paths through service chainswhile applying security services.

Flowchart 500 can be implemented at least partially with a computer orother data processing system; that is, by one or more processorsconfigured to receive or retrieve information, process the information,store results, and transmit the results. Other implementations mayperform the actions in different orders and/or with different, fewer oradditional actions than those illustrated in FIG. 5. Multiple actionscan be combined in some implementations. For convenience, this flowchartis described with reference to a system which includes Netskope cloudaccess security broker (N-CASB) and load balancing in a dynamic servicechain while applying security services in the cloud.

The method described in this section and other sections of thetechnology disclosed can include one or more of the following featuresand/or features described in connection with additional methodsdisclosed. In the interest of conciseness, the combinations of featuresdisclosed in this application are not individually enumerated and arenot repeated with each base set of features.

FIG. 5 begins with action 515 for processing a packet for a subscriberat a first service pod that performs a first security service in aservice chain.

Process 500 continues at action 525, based on the processing,determining a second service, among at least second and third serviceswhich the subscriber has selected, that should next handle the packet.

Action 535 includes accessing a flow table using outer IP header datacarried by the packet to select a second service pod, from among aplurality of service pods performing the second service, which performthe second service in the service chain.

Action 545 includes routing the packet to the selected second servicepod upon egress from the first service pod.

If the flow table lacks an entry corresponding to the header data, takeaction 555 accessing an available pods list in a consistent hash(lookup) table (CHT) of service pods performing the second service.

At action 565, select one of the available pods using a six-tuple hashas a key to the CHT table to select the second service pod, and updatethe flow table to specify the second service pod as providing the secondservice for packets sharing the header data.

Other implementations may perform the actions in different orders and/orwith different, fewer or additional actions than those illustrated inFIG. 5. Multiple actions can be combined in some implementations. Forconvenience, this flowchart is described with reference to the systemthat carries out a method. The system is not necessarily part of themethod.

FIG. 7 shows a representative method for improved recovery from failureof a service instance in a service chain that performs at least servicesA and B, using service instance AA and service instances BA and BB toperform the services A and B, respectively.

Flowchart 700 can be implemented at least partially with a computer orother data processing system; that is, by one or more processorsconfigured to receive or retrieve information, process the information,store results, and transmit the results. Other implementations mayperform the actions in different orders and/or with different, fewer oradditional actions than those illustrated in FIG. 7. Multiple actionscan be combined in some implementations. For convenience, this flowchartis described with reference to a system which includes Netskope cloudaccess security broker (N-CASB), load balancing in a dynamic servicechain while applying security services in the cloud, and improvedrecovery from failure of a service instance, in a service chain ofservices.

The method described in this section and other sections of thetechnology disclosed can include one or more of the following featuresand/or features described in connection with additional methodsdisclosed. In the interest of conciseness, the combinations of featuresdisclosed in this application are not individually enumerated and arenot repeated with each base set of features.

FIG. 7 begins with action 715 for service instance BA receiving from theservice instance AA a first packet in a stream for a subscriber, inwhich the first packet includes in an added header a stream affinitycode that is consistent for packets in the stream.

Process 700 continues at action 725, with service instance BA, in aprimary role specified in a service map distributed to serviceinstances, processing the first packet by performing service B.

At action 735, service instance BA identifies service instance BB ashaving a secondary role specified in the service map distributed toservice instances, and synchronizing state information with serviceinstance BB after processing the first packet.

At action 745, after failure of service instance BA, service instance AAreceives an updated service map and prepares to forward a second packet,which includes the same stream affinity code as the first packet, toservice instance BA for performance of service B.

Action 755 includes determining from the updated service map thatservice instance BA is no longer available and determining from theupdated service map that the service instance BB has the secondary role.

At action 765, service instance AA forwards the second packet to serviceinstance BB instead of service instance BA.

Other implementations may perform the actions in different orders and/orwith different, fewer or additional actions than those illustrated inFIG. 7. Multiple actions can be combined in some implementations.

Computer System

FIG. 6 is a simplified block diagram of a computer system 600 that canbe used to implement load balancing in a dynamic service chain, forreducing latency and increasing availability and scalability in flexiblyconfigurable data paths through service chains while applying securityservices in the cloud. Computer system 600 is also usable to implementimproved recovery from failure of a service instance, in a service chainof services that perform at least services A and B, using serviceinstance AA and service instances BA and BB to perform the services Aand B, respectively. Computer system 600 includes at least one centralprocessing unit (CPU) 672 that communicates with a number of peripheraldevices via bus subsystem 655, and Netskope cloud access security broker(N-CASB) 155 for providing network security services described herein.These peripheral devices can include a storage subsystem 610 including,for example, memory devices and a file storage subsystem 636, userinterface input devices 638, user interface output devices 676, and anetwork interface subsystem 674. The input and output devices allow userinteraction with computer system 600. Network interface subsystem 674provides an interface to outside networks, including an interface tocorresponding interface devices in other computer systems.

In one implementation, Netskope cloud access security broker (N-CASB)155 of FIG. 1A and FIG. 1B is communicably linked to the storagesubsystem 610 and the user interface input devices 638.

User interface input devices 638 can include a keyboard; pointingdevices such as a mouse, trackball, touchpad, or graphics tablet; ascanner; a touch screen incorporated into the display; audio inputdevices such as voice recognition systems and microphones; and othertypes of input devices. In general, use of the term “input device” isintended to include all possible types of devices and ways to inputinformation into computer system 600.

User interface output devices 676 can include a display subsystem, aprinter, a fax machine, or non-visual displays such as audio outputdevices. The display subsystem can include an LED display, a cathode raytube (CRT), a flat-panel device such as a liquid crystal display (LCD),a projection device, or some other mechanism for creating a visibleimage. The display subsystem can also provide a non-visual display suchas audio output devices. In general, use of the term “output device” isintended to include all possible types of devices and ways to outputinformation from computer system 600 to the user or to another machineor computer system.

Storage subsystem 610 stores programming and data constructs thatprovide the functionality of some or all of the modules and methodsdescribed herein. Subsystem 678 can be graphics processing units (GPUs)or field-programmable gate arrays (FPGAs).

Memory subsystem 622 used in the storage subsystem 610 can include anumber of memories including a main random access memory (RAM) 632 forstorage of instructions and data during program execution and a readonly memory (ROM) 634 in which fixed instructions are stored. A filestorage subsystem 636 can provide persistent storage for program anddata files, and can include a hard disk drive, a floppy disk drive alongwith associated removable media, a CD-ROM drive, an optical drive, orremovable media cartridges. The modules implementing the functionalityof certain implementations can be stored by file storage subsystem 636in the storage subsystem 610, or in other machines accessible by theprocessor.

Bus subsystem 655 provides a mechanism for letting the variouscomponents and subsystems of computer system 600 communicate with eachother as intended. Although bus subsystem 655 is shown schematically asa single bus, alternative implementations of the bus subsystem can usemultiple busses.

Computer system 600 itself can be of varying types including a personalcomputer, a portable computer, a workstation, a computer terminal, anetwork computer, a television, a mainframe, a server farm, awidely-distributed set of loosely networked computers, or any other dataprocessing system or user device. Due to the ever-changing nature ofcomputers and networks, the description of computer system 600 depictedin FIG. 6 is intended only as a specific example for purposes ofillustrating the preferred embodiments of the present invention. Manyother configurations of computer system 600 are possible having more orless components than the computer system depicted in FIG. 6.

Particular Implementations

Some particular implementations and features for distributed routing andload balancing in a dynamic service chain, and for improved recoveryfrom failure of a service instance in a service chain of services aredescribed in the following discussion.

In one disclosed implementation, a method of distributed routing andload balancing in a dynamic service chain includes receiving a packetfor a subscriber at a first service instance, wherein the packetincludes an added header, which includes a stream affinity code that isconsistent for packets in a stream. The method also includes processingthe packet at the first service instance, wherein the first serviceinstance performs a first service in a service chain. The disclosedmethod further includes, based on the processing, the first serviceinstance determining a second service, among at least second and thirdservices to which the subscriber has subscribed, that should next handlethe packet. Also included is the first service instance accessing a flowtable using the stream affinity code to select a second serviceinstance, from among a plurality of service instances performing thesecond service, which performs the second service in the service chain,and the first service instance routing the packet to the selected secondservice instance upon egress from the first service instance.

The method described in this section and other sections of thetechnology disclosed can include one or more of the following featuresand/or features described in connection with additional methodsdisclosed. In the interest of conciseness, the combinations of featuresdisclosed in this application are not individually enumerated and arenot repeated with each base set of features. The reader will understandhow features identified in this method can readily be combined with setsof base features identified as implementations.

In some implementations of the disclosed method, the stream affinitycode is included in an added IP header as IP source and destination. Oneimplementation includes the first service instance routing the packet tothe selected second service instance by updating the added IP headerwith the IP destination of the selected second service instance. Thedisclosed method also includes hashing the stream affinity code toaccess the flow table. In one implementation, wherein the flow tablelacks an entry for the second service corresponding to the streamaffinity code in the added header, the method further includes accessinga consistent hash table (CHT) of service instances performing the secondservice, selecting an available instance using a six-tuple hash as a keyto the CHT table to select the second service instance, and updating theflow table to specify the second service instance as providing thesecond service for packets sharing the header. In some implementations,the disclosed method further includes selecting an alternate secondservice instance from the CHT and updating the flow table to specify thealternate second service instance. Some implementations also include anetwork service header (NSH) in the added header, which includes aclient ID, and wherein the six-tuple hash is generated using the clientID and using source IP, source port, destination IP, destination portand IP protocol number for the packet. IN some implementations of thedisclosed method, the flow table is maintained locally by the firstservice or instances of the first service.

In one implementation of the disclosed method, the service chain is asecurity service chain and at least the second and third services aresecurity services. In many implementations of the method, instances ofthe first, second and third services run in containers and thecontainers are hosted in pods. In some implementations of the disclosedmethod, instances of the first, second and third services areimplemented on virtual machines, bare metal servers or custom hardware.In some implementations, the packet further includes an added UDPheader, which includes UDP source and/or destination ports, wherein theUDP source and/or destination ports are random or pseudo random valuesthat are consistent for packets in a stream. This disclosed methodfurther includes determining a core, from multiple cores running thesecond service instance, using the UDP source and/or destination values,and forwarding the received packet to the determined core and applyingthe second service to the packet. The forwarding can be accomplished byspraying the packet, in some implementations.

Some implementations of the disclosed method also include hashing valuesof the UDP source and/or destination ports to a hash key and using thehash key when determining the core. For some implementations of thedisclosed method, instances of the first, second and third servicesinclude copies of a first code that implements multiple services. Forsome implementations, the disclosed method further includes the packetcarrying a service chain in a packet header and the second and thirdservices being among services specified in the service chain.

One implementation of a disclosed method of improved recovery fromfailure of a service instance, in a service chain of services thatperform at least services A and B, using service instance AA and serviceinstances BA and BB to perform the services A and B, respectively,includes the service instance BA receiving from the service instance AAa first packet in a stream for a subscriber, wherein the first packetincludes an added header which includes a stream affinity code that isconsistent for packets in the stream. The method also includes serviceinstance BA, in a primary role specified in a service map distributed toservice instances, processing the first packet by performing service B,and service instance BA identifying service instance BB as having asecondary role for packets carrying the stream affinity code, which isspecified in the service map distributed to service instances, andsynchronizing service instance BA state information with the serviceinstance BB after processing the first packet. The disclosed methodfurther includes, after failure of the service instance BA, serviceinstance AA receiving an updated service map, and preparing to forward asecond packet, which includes the same stream affinity code as the firstpacket, to service instance BA for performance of the service B,including determining from the updated service map that service instanceBA is no longer available, and determining from the updated service mapthat the service instance BB has the secondary role. The methodadditional includes forwarding the second packet to service instance BBinstead of service instance BA.

For some implementations, the service chain is a security service chainfor a subscriber and at least the service B is a security service. Forthe disclosed method, the stream affinity code is included in an addedheader as an added IP header as IP source and destination. Manyimplementations further include the packet carrying a service chain fora subscriber in an added packet header and service B being amongservices specified in the service chain.

For some implementations of the disclosed method, instances of service Aand service B run in containers and the containers are hosted in pods.In many cases, instances of service A and service B are implemented onvirtual machines, bare metal servers or custom hardware. For thedisclosed method, the failure of service instance BA is detected by amonitoring agent, including monitoring service instance BA, for packetprocessing activity, and causing updating of the service map for serviceB to remove the service instance BA from availability should it beinactive for a configurable predetermined amount of time. In oneexample, the configurable predetermined amount of time may be 15seconds. In another case, 30 seconds of inactivity may cause the serviceinstance to be considered “failed”.

Some implementations of the disclosed method further include serviceinstance BB processing the second packet and based on the processing,identifying a next service, among at least two additional services towhich the subscriber has subscribed, that should next handle the packet,and routing the processed second packet to the identified next serviceupon egress from service instance BB.

Many implementations of the disclosed method further include processinga plurality of packets in a stream through the service chain of servicesand directing the packets for processing, as a document, to a cloudaccess security broker (CASB) that controls exfiltration of sensitivecontent in documents stored on cloud-based services in use by users ofan organization, by monitoring manipulation of the documents.

Other implementations of the disclosed technology described in thissection can include a tangible non-transitory computer readable storagemedia, including program instructions loaded into memory that, whenexecuted on processors, cause the processors to perform any of themethods described above. Yet another implementation of the disclosedtechnology described in this section can include a system includingmemory and one or more processors operable to execute computerinstructions, stored in the memory, to perform any of the methodsdescribed above.

The preceding description is presented to enable the making and use ofthe technology disclosed. Various modifications to the disclosedimplementations will be apparent, and the general principles definedherein may be applied to other implementations and applications withoutdeparting from the spirit and scope of the technology disclosed. Thus,the technology disclosed is not intended to be limited to theimplementations shown, but is to be accorded the widest scope consistentwith the principles and features disclosed herein. The scope of thetechnology disclosed is defined by the appended claims.

What is claimed is:
 1. A method of improved recovery from failure of aservice instance, in a service chain of services that perform at leastservices A and B, using service instance AA and service instances BA andBB to perform the services A and B, respectively, the method including:the service instance BA receiving from the service instance AA a firstpacket in a stream for a subscriber, wherein the first packet includesan added header which includes a stream affinity code that is consistentfor packets in the stream; the service instance BA, in a primary rolespecified in a service map distributed to service instances, processingthe first packet by performing service B; the service instance BAidentifying the service instance BB as having a secondary role forpackets carrying the stream affinity code, which is specified in theservice map distributed to service instances, and synchronizing serviceinstance BA state information with the service instance BB afterprocessing the first packet; after failure of the service instance BA,the service instance AA receiving an updated service map, and preparingto forward a second packet, which includes the same stream affinity codeas the first packet, to the service instance BA for performance of theservice B, including: determining from the updated service map that theservice instance BA is no longer available; determining from the updatedservice map that the service instance BB has the secondary role; andforwarding the second packet to the service instance BB instead of theservice instance BA.
 2. The method of claim 1, wherein the service chainis a security service chain for a subscriber and at least the service Bis a security service.
 3. The method of claim 1, wherein the streamaffinity code is included in an added header as an added IP header as IPsource and destination.
 4. The method of claim 1, further including thepacket carrying a service chain for a subscriber in an added packetheader and the service B being among services specified in the servicechain.
 5. The method of claim 1, wherein instances of the service A andthe service B run in containers and the containers are hosted in pods.6. The method of claim 1, wherein instances of the service A and theservice B are implemented on virtual machines, bare metal servers orcustom hardware.
 7. The method of claim 1, wherein failure of theservice instance BA is detected by a monitoring agent, including:monitoring the service instance BA for packet processing activity; andcausing updating of the service map for the service B to remove theservice instance BA from availability should it be inactive for aconfigurable predetermined amount of time.
 8. The method of claim 1,further including the service instance BB: processing the second packetand based on the processing: identifying a next service, among at leasttwo additional services to which the subscriber has subscribed, thatshould next handle the packet; and routing the processed second packetto the identified next service upon egress from the service instance BB.9. The method of claim 1, further including processing a plurality ofpackets in a stream through the service chain of services and directingthe packets for processing, as a document, to a cloud access securitybroker (abbreviated CASB) that controls exfiltration of sensitivecontent in documents stored on cloud-based services in use by users ofan organization, by monitoring manipulation of the documents.
 10. Atangible non-transitory computer readable storage media, includingprogram instructions loaded into memory that, when executed onprocessors, cause the processors to implement a method of improvedrecovery from failure of a service instance in a service chain ofservices that perform at least services A and B, using service instanceAA and service instances BA and BB to perform the services A and B,respectively, the method including: the service instance BA receivingfrom the service instance AA a first packet in a stream for asubscriber, wherein the first packet includes an added header whichincludes a stream affinity code that is consistent for packets in thestream; the service instance BA, in a primary role specified in aservice map distributed to service instances, processing the firstpacket by performing service B; the service instance BA identifying theservice instance BB as having a secondary role for packets carrying thestream affinity code, which is specified in the service map distributedto service instances, and synchronizing service instance BA stateinformation with the service instance BB after processing the firstpacket; after failure of the service instance BA, the service instanceAA receiving an updated service map, and preparing to forward a secondpacket, which includes the same stream affinity code as the firstpacket, to the service instance BA for performance of the service B,including: determining from the updated service map that the serviceinstance BA is no longer available; and determining from the updatedservice map that the service instance BB has the secondary role; andforwarding the second packet to the service instance BB instead of theservice instance BA.
 11. The tangible non-transitory computer readablestorage media of claim 10, wherein the service chain is a securityservice chain for a subscriber and at least the service B is a securityservice.
 12. The tangible non-transitory computer readable storage mediaof claim 10, wherein the stream affinity code is included in an addedheader as an added IP header as IP source and destination.
 13. Thetangible non-transitory computer readable storage media of claim 10,wherein instances of the service A and the service B run in containersand the containers are hosted in pods.
 14. The tangible non-transitorycomputer readable storage media of claim 10, wherein instances of theservice A and the service B are implemented on virtual machines, baremetal servers or custom hardware.
 15. The tangible non-transitorycomputer readable storage media of claim 10, further including theservice instance BB: processing the second packet and based on theprocessing: identifying a next service, among at least two additionalservices to which the subscriber has subscribed, that should next handlethe packet; and routing the processed second packet to the identifiednext service upon egress from the service instance BB.
 16. A system forimproved recovery from failure of a service instance in a service chainof services that perform at least services A and B, using serviceinstance AA and service instances BA and BB to perform the services Aand B, respectively, the system including a processor, memory coupled tothe processor, and computer instructions from the non-transitorycomputer readable storage media of claim 10 loaded into the memory. 17.The system of claim 16, wherein the stream affinity code is included inan added header as an added IP header as IP source and destination. 18.The system of claim 16, further including the packet carrying a servicechain for a subscriber in an added packet header and the service B beingamong services specified in the service chain.
 19. The system of claim16, wherein failure of the service instance BA is detected by amonitoring agent, including: monitoring the service instance BA, forpacket processing activity; and causing updating of the service map forthe service B to remove the service instance BA from availability shouldit be inactive for a configurable predetermined amount of time.
 20. Thesystem of claim 16, further including, processing a plurality of packetsin a stream through the service chain of services and directing thepackets for processing, as a document, to a cloud access security broker(abbreviated CASB) that controls exfiltration of sensitive content indocuments stored on cloud-based services in use by users of anorganization, by monitoring manipulation of documents.